Virtualization-Based Sandboxes are Vulnerable to Advanced Malware
Sandboxes are commonly deployed to detect malware, and in many cases, they can be quite effective. However, advanced malware families are capable of outsmarting conventional or even next-generation sandboxes that are based on virtualization technology, which is to say that they run on virtual machines.
Two Types of Sandboxes: Virtualization and Emulation
Sandboxes are typically developed using one of two types of architectures: virtualization or emulation. Virtualization-based sandboxes are faster and easier to build. However, they are blind to much of the activity that occurs inside a program—which dramatically limits their ability to detect evasive malware. Another problem virtualization-based sandboxes face is stealth. All sandboxes try to avoid being detected by malware, but advanced malware can discover the hypervisor technology that’s present in all virtualization-based sandboxes, and then hide their malicious behavior to avoid detection. This is a serious shortcoming.
As an alternative to virtualization, developers can use emulation to develop a sandbox—either by emulating the operating system (OS emulation) or by emulating the hardware (full system emulation). Emulation-based sandboxes are more difficult to develop, but they offer several advantages over those based on virtualization. Hardware emulation, where the full system is emulated, including the CPU, memory, and I/O devices, is the premier emulation method as it provides the greatest stealth and the most visibility into all of the behaviors engineered into the programs it analyzes.
In this post, we are focusing on the vulnerabilities of virtualization-based sandboxes, but watch for an upcoming post to learn more about emulation-based sandboxes and why full system emulation is the most effective at detecting advanced malware.
Advanced Malware Can Detect Virtualization-Based Sandboxes
Today’s advanced malware is engineered to recognize when it is running in a sandbox. If it can accomplish that objective, the malware will avoid taking any malicious actions and evade detection. When that happens, the sandbox will likely miss-label the file as benign, and allow it to enter the network. Subsequently, when the malware finds itself on a real machine, it will begin its malicious behavior.
Unfortunately, sandboxes that use virtualization technology can’t hide. Such sandboxes typically utilize virtual machine (VM) environments like VMware, Xen, KVM, Parallels/Odin and VDI. This allows a user or an administrator to run one or more “guest” operating systems on top of another “host” operating system. Each guest operating system executes within a virtual environment and allows managed access to both virtual and actual hardware.
But all of these virtualization technologies insert artifacts that allow advanced malware to discover that it is running in a virtual environment. These artifacts include additional operating system files and processes, supplementary CPU features, and other components necessary for the virtualization to work. Advanced malware looks for these artifacts to detect the presence of a VM or sandbox.
Advanced Malware Techniques
The techniques used by advanced malware to recognize a virtual machine environment include:
- Examining specific hardware parameters that are unique to either a VM or real physical environments. Advanced malware may query various attributes like serial numbers or other values belonging to the motherboard, processor, SCSI controller, etc.
- Checking for certain processes and services that are specific to VM environments such as VMwareService.exe, VMwareTray.exe, etc.
- Examining registry keys for values that are unique to virtual systems. In VMware, for example, there are over 300 references in the registry to “VMware.”
- Analyzing specific structures within system memory, such as the Interrupt Descriptor Table (IDT). This table is located in a different area for VM environments when compared to a real, physical machine.
- Identifying the BIOS serial number or MAC address of the virtual network adapter to reveal the vendor. MAC addresses beginning with 00-05-69, 00-0c-29, 00-1c-14 or 00-50-56 are associated with VMware.
- Looking to see if VM tools are installed. In a VMware Windows Workstation, for example, there are over 50 references in the file system to “VMware” or “VMX.”
For a more detailed look at evasion techniques employed by advanced malware, see our recent Labs blog post, Malware Evasion Techniques: Same Wolf – Different Clothing.
Since many, if not most commercial sandboxes rely on virtualization, it’s important for anyone deploying or upgrading their organization’s sandbox to carefully evaluate any product under consideration. It’s critical to know if the sandbox is based on virtualization, O/S emulation, or full hardware emulation.
Today’s malware is so sophisticated that it no longer makes sense to install a sandbox that relies on virtualization technology.